Insufficient 'write' privilege to the 'userCertificate' attribute


Hi everybody. I’m testing ipa-server 2.1.3. I’m trying to create a Certificate for vsftpd.


I can successfully create the certificate with the following command:


# ipa cert-request --add --principal=FTP/ ftp.csr


But I want to create certificates with subjectAltName DNS extensions, and it seems that is not possible through an OpenSSL CSR and Dogtag/IPA.


So I deleted the service entry, then I created again using:


# ipa service-add FTP/


Then, I try to create the certificate using the following command:


# ipa-getcert request -k /etc/vsftpd/private/ftp.key -f /etc/vsftpd/certs/ftp.crt -N "" -D "" -D "cn=ftp" -D "cn=le-303" -K FTP/


But I have the following error:


Request ID '20120108062420':
                status: CA_REJECTED
                ca-error: Server denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=ftp/ftp linux com py linux com py,cn=services,cn=accounts,dc=linux,dc=com,dc=py'.).
                stuck: yes
                key pair storage: type=FILE,location='/etc/vsftpd/private/ftp.key'
                certificate: type=FILE,location='/etc/vsftpd/certs/ftp.crt'
                CA: IPA
                expires: unknown
                track: yes
                auto-renew: yes


It looks like there is a problem with an ACI, or the admin principal does not have enough privileges.


Can anyone give me some hints?


I need to sign certificates with DNS subjectAltName with IPA.


Thanks in advance.


Thank you very much to Rob Crittenden <> who provided the solution through the freeipa-users mailing list.



ipa-getcert executes using the host principal of the machine it is running on. If you really want this machine to do the request you can add it as a manager to the service:

# ipa service-add-host --hosts=<host_you_are_on> FTP/
# ipa-getcert resubmit -i 20120108062420

If you don't want certmonger tracking this forever you can tell it to stop once the cert is generated with:

# ipa-getcert stop-tracking -i 20120108062420
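A triage helper added here as an example (it is not from the post, the reply, or FreeIPA itself): it parses `ipa-getcert list` output, recognises the userCertificate rejection shown above and produces the service-add-host and resubmit commands from the reply. The list output, host and service names are constructed, and the host running certmonger is passed in as the assumed `this_host` parameter.

```python
import re
# Constructed `ipa-getcert list` output (not captured from the poster's server):
# the first request reproduces the rejection from the thread, the second is healthy.
SAMPLE_LIST = """\
Request ID '20120108062420':
        status: CA_REJECTED
        ca-error: Server denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=ftp/ftp.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test'.).
        stuck: yes
        certificate: type=FILE,location='/etc/vsftpd/certs/ftp.crt'
        CA: IPA
Request ID '20120108071500':
        status: MONITORING
        stuck: no
        certificate: type=FILE,location='/etc/httpd/alias/server.crt'
        CA: IPA
"""

# The part of the ca-error that names the LDAP entry the host principal could not write.
ENTRY_RE = re.compile(r"Insufficient 'write' privilege to the 'userCertificate' attribute of entry '([^']+)'")

def parse_getcert_list(text):
    """Split certmonger's list output into one dict per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")  # split on the first colon only
            current[key.strip()] = value.strip()
    return requests

def diagnose(req, this_host):
    # certmonger authenticates as the host principal of `this_host` (assumed parameter), which
    # may only write userCertificate on a service entry that lists the host as a manager.
    if req.get("status") != "CA_REJECTED":
        return None
    m = ENTRY_RE.search(req.get("ca-error", ""))
    if not m:
        return {"id": req["id"], "cause": "other", "entry": None, "fix": []}
    entry_dn = m.group(1)
    # Leading RDN is krbprincipalname=<service>@<REALM>; the ipa CLI takes it without realm.
    principal = entry_dn.split(",", 1)[0].split("=", 1)[1].split("@", 1)[0]
    fix = [f"ipa service-add-host --hosts={this_host} {principal}",
           f"ipa-getcert resubmit -i {req['id']}"]
    return {"id": req["id"], "cause": "host-not-service-manager", "entry": entry_dn, "fix": fix}

def triage(text, this_host):
    """Every stuck request in a list output, with the commands that unblock it."""
    return [d for d in (diagnose(r, this_host) for r in parse_getcert_list(text)) if d]
```

Run it against the real output of `ipa-getcert list` on the host that owns the request; requests rejected for any other reason come back with cause "other" and no suggested commands.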